China Issues Final Rules for Cross-Border Transfer Security Assessments

These measures lay out the conditions, procedures, and next steps to follow when executing overseas transfers

Alexis Kateifides, OneTrust Senior Center of Excellence Counsel

The Cyberspace Administration of China (CAC) issued a set of final rules that will apply to organizations looking to transfer data out of the People’s Republic of China. These rules build on a draft version, issued at the end of October 2021, and follow other recent developments (e.g., the CAC SCCs draft, and the TC260’s Technical Specification for the Certification of Cross-Border Processing of Personal Information).

The final rules cover the following points: 

Cross-border data transfers requiring security assessments 

The CAC has defined which cross-border transfers need to undergo government security assessments. These transfers include:

  • Transfers of important data
  • Transfers by critical information infrastructure operators and by data processors that process the personal information (PI) of more than 1 million individuals
  • Transfers by data processors that have transferred PI of 100,000 individuals or sensitive PI (SPI) of 10,000 individuals abroad since January 1st of the previous year
  • Other situations as stipulated by the CAC

The term “important data” is defined within the rules as data that may endanger national security, economic operations, social stability, or public health and security if it is tampered with, destroyed, leaked, or illegally obtained or used.  

Procedures and timeline of the CAC security assessment 

Prior to applying for a security assessment, the organization exporting data must conduct a self-assessment and produce a report that includes the following points:

  • Justification of the transfer’s necessity 
  • An assessment of the recipient country’s data protection policies and regulations, and whether the recipient meets requirements under the laws of China 
  • The scope, size, type, and sensitivity of the data and the risks of it being tampered with or destroyed 
  • Whether responsibilities and obligations have been fully stipulated in the contract between the transferor and the recipient 

A CAC security assessment remains valid for two years. If the transfer circumstances, the recipient country’s data laws, or other major circumstances change during that period, a new assessment must be conducted.

What this means for organizations 

The final rules are set to take effect on September 1, 2022. As with the entry into effect of the PIPL and DSL, this leaves organizations little time to prepare for compliance. Affected organizations need to review their current cross-border transfer mechanisms over the next two months and adjust them accordingly.

These rules come on the heels of the CAC’s draft SCCs dealing with the transfer of PI out of China. With the CAC making a clear push to regulate transfers out of China, organizations need to stay on top of these regulations and have the appropriate compliance measures in place.